FortiManager
ssener
Staff
Article Id 198974
Description: This article describes how to check certificate validity and the certificate expiration date on managed FortiGates centrally through the FortiManager API.
Scope
Solution

The following certificate (SelfSigned-SubCA) is installed on the FortiGate to perform deep inspection.

[Screenshot: the SelfSigned-SubCA certificate installed on the FortiGate]

It is possible to keep track of each certificate's expiration date via FortiManager (FMG) or the FMG API, provided the device in question is managed by FortiManager.

The screenshot below demonstrates that FortiManager also holds the certificate information, such as the expiration date, serial number, etc.

[Screenshot: certificate details (expiration date, serial number) as shown in FortiManager]

This information can be tracked via FortiManager with two methods:

1- Directly via an API query.

{
  "id": 1,
  "method": "get",
  "params": [
    {
      "data": [
      ],
      "url": "/pm/config/device/FG3H0E-4/vdom/root/vpn/certificate/local/"
    }
  ],
  "session": "G+mzYAGgD4pNB1LD9bpOcUhCQLgotAJ+pZo6uyUNqnet2DwfsqX6Tjj0mm+xk5/yEiCUOm+1LTHF8d+3uASDhQ=="
}

The above query lists all the local certificates in the root vdom of the device "FG3H0E-4" managed by FortiManager.

 

It is also possible to query a single certificate's attributes by appending its name to the API URL, for example "/pm/config/device/FG3H0E-4/vdom/root/vpn/certificate/local/SelfSigned-SubCA", where SelfSigned-SubCA is the name of the certificate located in the root vdom.

[Screenshot: API query for the SelfSigned-SubCA certificate and its output]

The output returns the expiration date of the certificate.

2- The second method is to run a script directly on the FortiGate that collects the same attributes, and then query the script result via the API.

[Screenshots: the script run on the FortiGate and the certificate attributes it collects]

Since the script runs on the FortiGate directly, it can be scheduled as well.

Once the certificate attributes have been collected in the FortiManager script output, all that needs to be done is to query this information via the API.

 

{
  "id": 1,
  "method": "get",
  "params": [
    {
      "data": [
      ],
      "url": "/dvmdb/adom/TEST-CERT/script/log/latest/device/FG3H0E-4/"
    }
  ],
  "session": "G+mzYAGgD4pNB1LD9bpOcUhCQLgotAJ+pZo6uyUNqnet2DwfsqX6Tjj0mm+xk5/yEiCUOm+1LTHF8d+3uASDhQ=="
}

[Screenshot: API response containing the latest script log for FG3H0E-4]

The second approach can be leveraged to collect a wide range of information from all the managed FortiGates centrally.

Detailed information regarding API usage can be found at https://fndn.fortinet.net/
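The following is an added example, not code from the article or from Fortinet, that puts both methods above into one small Python client: it opens an API session, builds the two JSON-RPC queries shown in the article (the local certificate table of FG3H0E-4 and the latest script log in the TEST-CERT ADOM), and flags certificates that expire within a chosen number of days. The FortiManager hostname, the API user, the certificate sample data and the name of the expiry attribute in the reply ("valid-to") are assumptions; check the attribute name against the output of your own FortiManager version before relying on the threshold check.

```python
"""Check certificate expiry on a managed FortiGate through the FortiManager
JSON-RPC API.  Added example; hostname, API user, the 'valid-to' attribute
name and the sample certificate data below are assumptions, not from the
article."""
import json
import ssl
import urllib.request
from datetime import datetime, timezone

FMG_HOST = "fmg.example.com"   # assumed FortiManager address
ADOM = "TEST-CERT"             # ADOM name used in the article
DEVICE = "FG3H0E-4"            # managed device name used in the article

# Constructed sample of what the certificate query might return; the
# "valid-to" key is an assumed attribute name.
SAMPLE_CERTS = [
    {"name": "SelfSigned-SubCA", "valid-to": "2022-01-10 00:00:00"},
    {"name": "Fortinet_Factory", "valid-to": "2030-01-01"},
]


def rpc_body(method, url, session=None, data=None, req_id=1):
    """Build one JSON-RPC request in the shape shown in the article."""
    params = {"url": url}
    if data is not None:
        params["data"] = data
    body = {"id": req_id, "method": method, "params": [params]}
    if session is not None:
        body["session"] = session
    return body


def local_cert_url(device, vdom="root", name=None):
    """URL of the local certificate table (or one named certificate) of a device."""
    url = "/pm/config/device/%s/vdom/%s/vpn/certificate/local/" % (device, vdom)
    return url + name if name else url


def script_log_url(adom, device):
    """URL of the latest script log for a device (the article's second method)."""
    return "/dvmdb/adom/%s/script/log/latest/device/%s/" % (adom, device)


def send(host, body, cafile=None):
    """POST a JSON-RPC body to https://<host>/jsonrpc and return the parsed reply.
    TLS verification stays on; pass the CA file that issued the FMG certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        "https://%s/jsonrpc" % host,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def login(host, user, password, cafile=None):
    """Open an API session (/sys/login/user) and return the session token."""
    body = rpc_body("exec", "/sys/login/user", data={"user": user, "passwd": password})
    return send(host, body, cafile)["session"]


def parse_expiry(value):
    """Parse an expiry string; naive timestamps are treated as UTC (assumption)."""
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised expiry format: %r" % value)


def expiring_within(certs, days, now=None, key="valid-to"):
    """Return [(name, days_left)] for certificates expiring within `days`,
    soonest first.  Certificates without the expiry attribute are skipped."""
    now = now or datetime.now(timezone.utc)
    found = []
    for cert in certs:
        if key not in cert:
            continue
        left = (parse_expiry(cert[key]) - now).days
        if left <= days:
            found.append((cert["name"], left))
    return sorted(found, key=lambda item: item[1])


if __name__ == "__main__":
    import getpass
    session = login(FMG_HOST, "api-user", getpass.getpass("FMG password: "))
    try:
        # Method 1: read the certificate table straight from the device config.
        reply = send(FMG_HOST, rpc_body("get", local_cert_url(DEVICE), session))
        for name, left in expiring_within(reply["result"][0]["data"], days=60):
            print("%s expires in %d days" % (name, left))
        # Method 2: fetch the latest output of the script run on the FortiGate.
        log = send(FMG_HOST, rpc_body("get", script_log_url(ADOM, DEVICE), session))
        print(json.dumps(log["result"][0], indent=2))
    finally:
        send(FMG_HOST, rpc_body("exec", "/sys/logout", session))
```

The session token is requested at run time and released with /sys/logout rather than pasted into the script, and TLS verification is left enabled; with the constructed sample and a reference date of 2021-11-18, only SelfSigned-SubCA (53 days left) falls inside a 60-day threshold.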
